Websense® Security Labs™ researchers are aware of a zero-day vulnerability affecting Internet Explorer that could allow a remote, unauthenticated attacker to bypass the Same-Origin Policy (SOP) to hijack the user’s session. The vulnerability is being called Universal Cross Site Scripting (XSS), as it allows the attacker to hijack the session using any third-party website, as long as the victim uses the Internet Explorer browser.

The Same-Origin Policy (SOP) is a critical security measure used in web applications to ensure the confidentiality and integrity of information. Scripts running on different websites are not permitted to interact with each other, and cookies use SOP to ensure that the information for a given user's activity pertains to only one site. This mechanism allows for secure communication across multiple web properties and allows user sessions to be maintained without the need for re-authentication.

Exposure

The attacker could exploit the vulnerability by enticing the victim to visit a specially-crafted website. Successful execution via JavaScript of the proof of concept exploit code released on Jan 31, 2015 has been observed on Internet Explorer 11 running on both Windows 7 and Windows 8.1.

Microsoft has not yet released a patch for the vulnerability, which has been assigned the identifier CVE-2015-0072.

Impact

Successful exploitation could allow an attacker to hijack the user’s session or gain access to sensitive information. The vulnerability could also be used in phishing attacks. Once the attacker has access to the user's cookies, all data normally restricted for use by the user would be available to the attacker and the attacker could impersonate the victim. The vulnerability can be easily exploited and is rated critical.

Mitigation

Websense customers are protected against attacks targeting the vulnerability (CVE-2015-0072) with ACE, our Advanced Classification Engine, which is used to prevent the malicious scripts from being downloaded to the victim’s machine.

Websense researchers are not aware of active exploitation of this vulnerability at the time of publication of the blog, although, as mentioned earlier, proof of concept code is publicly available.

Customers are encouraged to apply the patch from Microsoft as soon as it becomes available. You could also decide to use an alternative browser in place of the vulnerable versions of Internet Explorer.

Websense Security Labs will continue to monitor the situation and provide updates as needed.